How to Remove the WP-VCD.php Malware From Your WordPress Site?

Malware From Your WordPress Site
Malware From Your WordPress Site

wp-vcd.php is One thing that looks like this has been flagged by the WordPress protection plugin:

Backdoor: Malicious code, PHP/wp-vcd.5473;

And now, you have a bunch of questions:

  • What is wp-vcd.php malware?
  • What does it mean for your site?
  • How did you even get infected?
  • Can you remove it safely?
  • Should you even pay attention to the warning or is it a false positive?

The only trouble is…

…you don’t exactly know how to ask.

Scenario #1:

It’s also likely that you have already attempted to eliminate this and found that it can be very difficult to delete this malware. Literally anywhere, it will infect your website and there are so many versions of this virus to even keep track of it.

Scenario #2:

You may have even managed to delete the virus wp-vcd.php from your WordPress account. But then you figure out the wp-vcd.php is more tenacious and keeps coming back than measles!

Or, Scenario #3:

Maybe this is the first time this ransomware has hit you.

In such a situation, it’s natural to feel lost, frustrated, and vulnerable.

With this ransomware, one of the main concerns is that it is not quite visual.

You can’t imagine your company getting ruined by it.

The hardest part is that to really identify the signs, the symptoms are very likely to ignore and require some technical expertise from the end.

There are a few here:

This ransomware actually falls under the radar in order to be really upfront with you, to the untrained eye.

No concerns, though.

We’ll teach you how to disinfect your site in this article and take steps to stop it from once again infecting your site.

Let’s just dive in.

What is the WP-VCD Malware and What Does It Do?

The ‘wp-vcd.php’ malware is a piece of malicious PHP code that looks something like this:

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))
switch ($_REQUEST['action'])
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))

The way the malware wp-vcd.php functions is this:

  • Try to fetch files that do not exist on your web
  • This would force WordPress to attempt to search the non-existent file again if the file is not found.
  • This transforms into an endless loop and hogs all the energy of your server

In short: the malware triggers super-slow running of the web. It can also force your web host to suspend your account for using so many server resources in certain instances!

But that’s not the only thing the malware does with wp-vcd.php.

It also provides admin links to WordPress web users that the hacker will use to access the site any time they please:

ini_set('display_errors', 0);

$GLOBALS['<b>WP_CD_CODE</b>'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)

In all WordPress core files and directories, the malware typically replicates itself.

Why does it matter with wp-vcd.php?

Easy- It looks like it is part of the actual WordPress code on the surface. So, it’s very hard to even recognise it as a malicious code.

Around the same time, by injecting malicious ties to the file, like a WordPress sleeper cell, this code can also wait secretly for orders from a hacker.

Not cool.

So, how are we going to get rid of this?

Next, that’s up.

How to Remove the WP-VCD Malware From Your WordPress Site?

Two approaches to scrub the web are:

  • Using a virus scanner and a cleaner plugin for WordPress
  • Manually delete the malware (NOT RECOMMENDED)

We’ll walk you in both directions.

Never use the manual form, though, in our professional view.

And if you delete one extra semicolon from the file, it’s downright unsafe and will totally wreck the web (that’s right!).

Let’s get this done.

Cleaning Your Site Using a WordPress Security Plugin

First things first—are you still a member of MalCare?

Ok, if so, then rest comfortable.

Seriously, you’ve got it way better than any other individuals afflicted with this malware.

But just in case you’re not yet using MalCare, sign up for your site’s FREE scan right now.

MalCare will quickly recognise the areas of the site have been infected by the malware, unlike most WordPress malware scanners and cleaners out there. This makes it very quick for our 1-click automatic cleaner to repair your site without hurting it in the process.

MalCare operates on an algorithm for learning.

This suggests that the tougher the virus is, the harder it attacks. And the more it sees malware, the better it gets.
MalCare will give you an email warning the second your site is compromised, and Slack will send you a notification like this:


From this email, click on the link that says, “MalCare Dashboard”. That will take you to the list of sites protected by MalCare.


Click on the site that you want to cleanup. You’ll see the site dashboard screen:


See the giant, shiny, red button that says, ‘Hacked’? That implies that on your web, MalCare has found malware. You can see a button right below the alert that says, ‘Auto-Clean’.

Click the button.

And you’re done!

If you’re using other common anti-malware plugins, and you’ve already tried to use the guidelines for your security plugin…

You found that they just weren’t fixing the dilemma.

That’s OK. You can now scrub the site with MalCare.

Setting up MalCare takes less than a minute, practically. Or, you can try manually cleaning the site. Your appeal!

Pro Tip: Instead, a WordPress management firm that also provides WordPress security services may also be employed.

Cleaning the WP-VCD.PHP Malware From Your Site Manually

That’s a tricky one.

We’re not going to lie—this is something we’re even scared of.

Malware such as wp-vcd.php will keep mutating and it’s not even amusing that there are so many different versions of the same code.

Having said that, there are few simple things you should check out.

In common files and directories, searching for malicious code (wp-vcd.php)

Hackers continue to discover new avenues for malicious code to be covered. This makes it very difficult for even qualified experts to locate corrupted data.

Ok, no hackers have ever been accused of being an unimaginative bunch.

But there are some foundational areas to launch your search:

  • wp-includes/wp-vcd.php
  • wp-includes/wp-tmp.php
  • wp-content/themes/*/functions.php (all themes installed active and inactive)
  • class.wp.php
  • code1.php
  • class.theme-modules.php (inside the theme folder)

Keep reading if this doesn’t work out.

Checking for Variations in Malicious Strings (wp-vcd.php)

Any common bits of code called string patterns are used for most malware.

To narrow down your quest, you should search for these trends.

But here goes nothing:

  • tmpcontentx
  • function wp_temp_setupx
  • wp-tmp.php
  • stripos($tmpcontent, $wp_auth_key)

If these two ideas didn’t work, we have some even more advanced ideas that you can try.

Checking the functions.php File

One of the most popular targets for the WP-VCD.PHP malware is the functions.php file.

So, take a quick look at that file too.

Look for something similar to this:

<?php if (file_exists(dirname(__FILE__) . '/<b>class.theme-modules.php</b>')) 
<b>include_once</b>(dirname(__FILE__) . '/<b>class.theme-modules.php</b>'); ?>

This code tries to find and execute malicious scripts hidden in the hacked theme or plugin. In this instance, it calls a script inside the hacked theme.

Again, this is agonizingly difficult to find at the best of times.

So, we have one last tip for you.

Run a Diffchecker Against WordPress Core Files

A diffchecker is a programme that checks two pieces of code and detects the variations between the two.

This is what you will do here:

  • Download the original core files from the GitHub repository for WordPress.
  • Using cPanel, save the files from your server.
  • Conduct a splitter between the two scripts.

This method is truly time-consuming. Each paper, one at a time, you may have to go through.

How Hackers Make Money Using WP-VCD.PHP

If you’re always curious if the ransomware is still worth deleting…

This you’ll want to know.

Quick answer: Right now, you want to clean your web.

The way that ransomware like this works is that it is a misdirect to the fork bomb that proceeds to overwhelm your server. The actual danger is new altogether.

It is unsafe for WP-VCD.PHP because it generates an admin account for the hacker on your website.

Your site is now part of the hacker’s network until the consumer is signed up.

In other words, now the hacker has total ownership of your website.

They’re making money now through:

  • Stealing and redirecting the traffic to porn pages that pay them for any visit
  • Sale financial details from your platform to everyone who buys it.
  • To distribute the malware to more targets, use your website

If your website forms an integral part of the branding or sales of your brand, you need to clean up your platform right now.

How Your Site Got Infected in the First Place

There are 3 ways in which wp-vcd.php malware will infect your site:

Nulled Themes and Modules

Individuals! Stop using nullified plugins and themes.

No, really, really.

The number one way to get compromised is using Nulled WordPress apps. Many of the wp-vcd.php ransomware instances we see are from nullified themes and plugins.

Nulled WordPress themes and plugins have WP-VCD.PHP snippets so it’s the ideal trojan.

What can you do with wp-vcd.php?

For each plugin, WordPress has millions of free alternatives and there are also millions of free themes. Using one of these instead of a plugin that is empty.

Outdated Themes and Plugins

Outdated themes and plugins have known bugs that can be abused by hackers.

So, take a minute and refresh your plugins and themes.

And if you don’t need a certain plugin or style, just delete it.

The way, it’s a lot better.

Lack of Security Measures

You can secure yourself from multiple issues by using even the most simple security precautions, such as having a virus scanner and a cleaner installed.

But the fact is that no protection plugin is even used by the vast majority of WordPress users.

It is like shooting fish in a barrel for a pro hacker.

That is, in all probability, why your web got corrupted.

How Can You Protect Your Site from Getting Reinfected?

This, people, is the grand finale.

You need to take precautions to deter hackers from infecting your site with WP-VCD.PHP again after you’ve cleaned up your site.

Taking a look at some basic mechanisms of protection:

  • Delete all anonymous users of the admin from your web
  • Stop using zero themes and extensions and swap for free options
  • Often refresh the themes and plug-ins

You should still mount MalCare if you’re not sure how to get it done. This would make your life so much better.

Well, for this one, that’s it. This, potentially, has helped.

Feel free to hit us up on Twitter if you have any questions.

Only until next time!